In the cloud, your data can get caught up in legal actions

We all know that the data we rely on to run our businesses can be subject to subpoena and other government actions. Such actions create additional risks when that data is in the cloud .

With cloud computing, data from multiple customers is typically commingled on the same servers. That means that legal action taken against another customer that is completely unrelated to your business could have a ripple effect. Your data could become unavailable to you just because it was being stored on the same server as data belonging to someone else that was subject to some legal action. For example, a search warrant issued for the data of another customer could result in your data being seized as well.

The news earlier this year about Megaupload , a cloud file storage and viewing service, provides a real, if extreme, example of how a customer could lose access to its data in the cloud. The federal indictments against the individuals behind Megaupload on multiple charges, including racketeering and criminal copyright infringement, resulted in law enforcement agencies seizing more than $50 million of Megaupload's assets. These actions were intended to stop any nefarious activities and collect evidence to be used in the case against Megaupload.

The catch is that a lot of people were using Megaupload for legitimate purposes . When the government took action against the alleged bad guys, those legitimate users also lost access to their data. It's a textbook example of how technology continues to outpace the law's ability to address the new questions that arise with cloud computing. For example, who is responsible for returning data to legitimate users?

With Megaupload essentially shut down, legitimate users couldn't retrieve their data directly as in the past. The government wouldn't release any data while it temporarily had custody of it to gather evidence, and when it was finished with that, it didn't want responsibility for sorting and returning data. Instead, it directed legitimate users to the two infrastructure-as-a-service providers used by Megaupload. The IaaS providers claimed that they had provided only raw infrastructure and never had access to customer data, and so they pointed customers full circle back to Megaupload. The Electronic Frontier Foundation has now stepped in to help sort out this mess .

How could a legitimate Megaupload customer have avoided getting caught up in this? Thoroughly vetting a cloud provider's background and business practices before using its service would be a good first step in most cases. Additionally, you could ensure that your contract obligates the cloud provider to effectively partition customer data. That way, there's at least a chance that law enforcement could seize a bad guy's data without touching yours.

The cloud also complicates things if your own data is subject to some legal action. If your data is subjected to a subpoena or other legal request for access, you have more direct control in managing its release if you are running in-house IT systems, because there is no one involved but you and the requestor. But if your data is in the cloud and the same situation comes up, the subpoena could be issued directly to the cloud provider and your data could be released without your knowledge.

To reduce the risks that come with this decreased control, it's important to determine in advance what your cloud provider's standard policies are regarding such legal requests. If the cloud provider does have such a policy in place, and it aligns with your needs, then negotiate to have that policy codified in the contract.

Your contract should also specify what the provider needs to do if any of your data becomes the subject of a subpoena or other legal or governmental request for access. For example, the contract should state that the cloud provider should:

* Notify you as soon as it receives any subpoena or legal request, ideally before it provides access to any of your data. (Be aware, though, that this may not always be possible in situations where the Patriot Act comes into play.)

* Limit any release of your data to the maximum extent legally possible.

* Provide you with a copy of any response it makes to any subpoena or legal request involving access to your data.

If you're interested in learning more about cloud computing risk mitigation via contract negotiation and vendor management, then please save the date for July 16-17, 2012, when I'll again be presenting my UCLA seminar Contracting for Cloud Computing Services .

Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com .

Slideshows

ARN Exchange: Channel discusses security spending priorities

Customers spending priorities, drawing up a security strategy for customers and partners, detailing how partners can increase profit through security and outlining key areas of market growth ahead were some of the topics discussed at the ARN Exchange event in Sydney. Partners got together to talk about the spending priorities of customers within the security market today and the skills required from partners to deliver those services. The event was in association with Juniper Networks, Webroot, Cloud Plus and Mimecast. Photos by Christine Wong.

What are the spending priorities of customers within the security market today and what are the skills required from partners to deliver those services? An overview of the security market in Australia was debated in the ARN Exchange event in Melbourne with discussions covering the customers spending priorities, drawing up a security strategy for customers and partners, detailing how partners can increase profit through security and outlining key areas of market growth ahead. The event was in association with Juniper Networks, Webroot, Cloud Plus and Mimecast. Photos by Raymond Korn.

The channel came together for the forth running of the ARN Emerging Leaders Forum in Australia, created to provide a program that identifies, educates and showcases the upcoming talent of the ICT industry.
Hosted as a half day forum, attendees heard from industry specialists as keynoters and panellists discussed leadership paths and career choices. Hall of Fame members and industry mentors​ hosted small groups of future leaders to mentor and advise.
This also marked ARN's inaugural 30 Under 30 Tech Awards, which recognised young talent in the Australian IT industry across technical, sales, marketing, management, human resources and entrepreneur categories.
Photos by Christine Wong.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.